Cryptojacking and Its Impact Within the Financial Services Sector

Contributed by Aamir Lakhani, Lead Researcher and Cybersecurity Expert, Fortinet

Today, the financial services sector finds itself in a unique position as it adapts both its technical and business processes to meet the demands of customers looking for extended capabilities, increased convenience and greater accessibility.

This shift is driving organizations to undergo significant digital transformation in order to better meet the needs of both consumers and employees and remain competitive in an evolving market. This transformation, however, also provides a clear window of opportunity for cybercriminals looking to exploit new and overlooked network vulnerabilities.

One of the most popular trends digital transformation aims to facilitate within the financial services sector is that of cryptocurrency. Though it has been around for years, the recent leap in crypto value has brought digital currency to the front of mainstream attention. Motivated by the skyrocketing value of various cryptocurrencies like Bitcoin, Ethereum and Ripple, and the anonymity many of them provide, cybercriminals have begun to shift their efforts in order to cash in on this opportunity.

To do this, cybercriminals have developed a form of cyberattack known as cryptojacking. This occurs when malware hijacks an organization’s network elements in order to repurpose them for mining cryptocurrency. This often involves leveraging unused CPU cycles on infected devices so that these mining activities are never noticed by its victims. If left unchecked, this often “below the radar” form of cyberattack can have serious consequences to financial service firms.

Cryptojacking Within the Financial Services Sector

As shown in our most recent Threat Landscape Report for Q1 of 2018, cybercriminals are expanding their attack capabilities, looking to do more than simply collect cryptocurrency through a ransomware attack. Cryptojacking often uses the same methodologies as ransomware attacks, with one main difference: the victims don’t need to know they have been attacked in order for cybercriminals to generate a lucrative income stream. As cybercriminals continue to expand their capabilities across the kill chain, we’ve seen a 30 percent increase in cryptojacking attacks since Q4.

Cryptojacking within the financial services sector can take many forms. Whether it’s maliciously injecting exploits into the browsers of computers, known as forced mining, distributing malware across servers and IoT devices, or even hijacking Wi-Fi routers, these infections are designed to leach CPU resources in order to generate cryptocurrency for the financial gain of cybercriminals. While the impact of such attacks once caused system crashes, poor network efficiency and a sharp drop in machine speed for both personnel and consumers, newer, more sophisticated versions of cryptojacking malware often use rate-limiting buffers to minimize their impact on end users, thereby reducing the chance of their being detected.

Unfortunately, the exploit capabilities of cryptojacking have begun to increase. Cybercriminals now have the capability to cryptojack cloud-based, enterprise-level applications, as seen in a recent attack earlier this year. This means that financial service firms leveraging these application management systems within their own websites and applications could potentially host cryptojacking malware that can quickly spread to large numbers of consumer devices.

The Impact of Cryptojacking

At its most basic level, cryptojacking only operates within browser windows and Java scripts, affecting only those specific machines and devices that are infected. However, if enough network elements are infected, they can have a serious impact on efficiency and business operations.

Delivery methods are also becoming more sophisticated. Some cybercriminals are now leveraging the EternalBlue exploit, which made headlines for its use in the large-scale WannaCry ransomware attacks, to instead deliver cryptojacking malware to unsuspecting businesses. Aptly titled WannaMine, this more malicious form of cryptojacking malware has the potential to render companies across industries inoperable for days or weeks at a time. This infection can also move laterally across a network, identifying and exploiting vulnerabilities in machines and devices not properly patched or secured.

For cybersecurity professionals within the financial services sector, this is big news. Typically, the goal of cryptojacking is parasitic in nature, meaning that cybercriminals don’t want to leverage enough CPU to merit unwanted attention to their operation. However, in an industry where market orders are placed in fractions of a second, any compromise in network efficiency can have dire consequences.

What’s more, we measured the persistence of botnet infections in Q1. Of the botnet infections we looked at, more than half were cleaned the same day of the infection, but about five percent still managed to linger within a network for more than a week, indicating that successful cryptojacking infections can remain within a network far after the attack was identified and countermeasures taken.

The impact of cryptojacking doesn’t stop within the firm’s network, either. Today’s consumers expect the digital services they use to run quickly and efficiently. Those using the services of a firm experiencing a cryptojacking infection will notice slower computer/device speeds when using their websites and applications. This has the potential to adversely impact brand value and the loyalty of customers using those infected services.

To properly address the threat of cryptojacking, financial service firms need to deploy security solutions within an integrated, automated cybersecurity system capable of monitoring networks at machine speed while being able to mitigate damage and efficiently patch vulnerabilities through integrated security device collaboration. As financial service organizations continue to expand their digital offerings and further facilitate digital transformation, such integrated solutions can help ensure an effective, modern security posture that adapts to any new threat vectors introduced to the network.

Final Thoughts 

The financial services sector is a lucrative target for cyberattacks. As firms and organizations continue to make the digital transformation necessary to facilitate growing consumer demand, the attack space subsequently widens, allowing cybercriminals to leach off of internal and consumer machines and devices to harvest cryptocurrency. Next-generation tools help assure cryptojacking malware can be successfully identified and mitigated.

About the author:

Aamir Lakhani is a Global Security Strategist and Lead Researcher for FortiGuard Labs. Aamir Lakhani formulates security strategy with more than fifteen years of cybersecurity experience, his goal to make a positive impact towards the global war on cyber-crime and information security. Lakhani provides thought leadership to industry and has presented research and strategy world-wide at premier security conferences. As a cybersecurity expert, his work has included meetings with leading political figures and key policy stakeholders who help define the future of cybersecurity. 

Contributed by Aamir Lakhani, Lead Researcher and Cybersecurity Expert, Fortinet

Today, the financial services sector finds itself in a unique position as it adapts both its technical and business processes to meet the demands of customers looking for extended capabilities, increased convenience and greater accessibility.

This shift is driving organizations to undergo significant digital transformation in order to better meet the needs of both consumers and employees and remain competitive in an evolving market. This transformation, however, also provides a clear window of opportunity for cybercriminals looking to exploit new and overlooked network vulnerabilities.

One of the most popular trends digital transformation aims to facilitate within the financial services sector is that of cryptocurrency. Though it has been around for years, the recent leap in crypto value has brought digital currency to the front of mainstream attention. Motivated by the skyrocketing value of various cryptocurrencies like Bitcoin, Ethereum and Ripple, and the anonymity many of them provide, cybercriminals have begun to shift their efforts in order to cash in on this opportunity.

To do this, cybercriminals have developed a form of cyberattack known as cryptojacking. This occurs when malware hijacks an organization’s network elements in order to repurpose them for mining cryptocurrency. This often involves leveraging unused CPU cycles on infected devices so that these mining activities are never noticed by its victims. If left unchecked, this often “below the radar” form of cyberattack can have serious consequences to financial service firms.

Cryptojacking Within the Financial Services Sector

As shown in our most recent Threat Landscape Report for Q1 of 2018, cybercriminals are expanding their attack capabilities, looking to do more than simply collect cryptocurrency through a ransomware attack. Cryptojacking often uses the same methodologies as ransomware attacks, with one main difference: the victims don’t need to know they have been attacked in order for cybercriminals to generate a lucrative income stream. As cybercriminals continue to expand their capabilities across the kill chain, we’ve seen a 30 percent increase in cryptojacking attacks since Q4.

Cryptojacking within the financial services sector can take many forms. Whether it’s maliciously injecting exploits into the browsers of computers, known as forced mining, distributing malware across servers and IoT devices, or even hijacking Wi-Fi routers, these infections are designed to leach CPU resources in order to generate cryptocurrency for the financial gain of cybercriminals. While the impact of such attacks once caused system crashes, poor network efficiency and a sharp drop in machine speed for both personnel and consumers, newer, more sophisticated versions of cryptojacking malware often use rate-limiting buffers to minimize their impact on end users, thereby reducing the chance of their being detected.

Unfortunately, the exploit capabilities of cryptojacking have begun to increase. Cybercriminals now have the capability to cryptojack cloud-based, enterprise-level applications, as seen in a recent attack earlier this year. This means that financial service firms leveraging these application management systems within their own websites and applications could potentially host cryptojacking malware that can quickly spread to large numbers of consumer devices.

The Impact of Cryptojacking

At its most basic level, cryptojacking only operates within browser windows and Java scripts, affecting only those specific machines and devices that are infected. However, if enough network elements are infected, they can have a serious impact on efficiency and business operations.

Delivery methods are also becoming more sophisticated. Some cybercriminals are now leveraging the EternalBlue exploit, which made headlines for its use in the large-scale WannaCry ransomware attacks, to instead deliver cryptojacking malware to unsuspecting businesses. Aptly titled WannaMine, this more malicious form of cryptojacking malware has the potential to render companies across industries inoperable for days or weeks at a time. This infection can also move laterally across a network, identifying and exploiting vulnerabilities in machines and devices not properly patched or secured.

For cybersecurity professionals within the financial services sector, this is big news. Typically, the goal of cryptojacking is parasitic in nature, meaning that cybercriminals don’t want to leverage enough CPU to merit unwanted attention to their operation. However, in an industry where market orders are placed in fractions of a second, any compromise in network efficiency can have dire consequences.

What’s more, we measured the persistence of botnet infections in Q1. Of the botnet infections we looked at, more than half were cleaned the same day of the infection, but about five percent still managed to linger within a network for more than a week, indicating that successful cryptojacking infections can remain within a network far after the attack was identified and countermeasures taken.

The impact of cryptojacking doesn’t stop within the firm’s network, either. Today’s consumers expect the digital services they use to run quickly and efficiently. Those using the services of a firm experiencing a cryptojacking infection will notice slower computer/device speeds when using their websites and applications. This has the potential to adversely impact brand value and the loyalty of customers using those infected services.

To properly address the threat of cryptojacking, financial service firms need to deploy security solutions within an integrated, automated cybersecurity system capable of monitoring networks at machine speed while being able to mitigate damage and efficiently patch vulnerabilities through integrated security device collaboration. As financial service organizations continue to expand their digital offerings and further facilitate digital transformation, such integrated solutions can help ensure an effective, modern security posture that adapts to any new threat vectors introduced to the network.

Final Thoughts 

The financial services sector is a lucrative target for cyberattacks. As firms and organizations continue to make the digital transformation necessary to facilitate growing consumer demand, the attack space subsequently widens, allowing cybercriminals to leach off of internal and consumer machines and devices to harvest cryptocurrency. Next-generation tools help assure cryptojacking malware can be successfully identified and mitigated.

About the author:

Aamir Lakhani is a Global Security Strategist and Lead Researcher for FortiGuard Labs. Aamir Lakhani formulates security strategy with more than fifteen years of cybersecurity experience, his goal to make a positive impact towards the global war on cyber-crime and information security. Lakhani provides thought leadership to industry and has presented research and strategy world-wide at premier security conferences. As a cybersecurity expert, his work has included meetings with leading political figures and key policy stakeholders who help define the future of cybersecurity.